BRIEF DESCRIPTION OF PORTFOLIO:

Fund science that will enable the AF and DOD to dominate cyberspace: science to develop secure information systems for our warfighters and to deny the enemy such systems.

LIST SUB-AREAS IN PORTFOLIO:

1: SOS - Science of Security
2: Secure Humans
3: Secure Networks
4: Secure Hardware
5: Covert Channels
6: Execute on Insecure Systems
7: Secure Data
8: Secure Systems - Security Policy
MOTIVATION PICTURE

• Cyber security basic research has the potential to change the current balance that favors the attackers

• Discovery and development of a Science of Cyber Security (SOS) should be vigorously pursued

• Develop methods to execute the mission while under attack

TECHNICAL IDEAS

• Science of Security: formally model relationships between attacks, defenses and policies, and invent good metrics

• Develop a theory of covert channels

• Pursue methods to execute the mission on insecure components

PAYOFF

• Inherently secure software and hardware systems can be deployed in the future

• Covert channels can be anticipated and denied, or used

• Insecure, distributed systems can be used to execute the mission
SOS Laws: Analysis and Synthesis

• Science:

- Laws or theories that are predictive

• Analysis: Given an artifact, predict its properties...

- Qualitative properties: What does it do?

- Quantitative properties: How well?

• Synthesis: Compose artifacts with given properties to obtain a new one with predictable properties.
SOS: Laws about What?

Features:

• Classes of policies

• Classes of attacks

• Classes of defenses

Relationships (= SoS):

• Defense class D enforces policy class P despite attacks from class A.
AFOSR MURI Project, Sept 23, 2011

Science of Cyber Security: Modeling, Composition, and Measurement

Anupam Datta (CMU)
Joe Halpern (Cornell)
John Mitchell (Stanford, PI)
Andrew Myers (Cornell)
Andre Scedrov (U Penn)
Fred Schneider (Cornell)
David Wagner (UC Berkeley)
Jeannette Wing (CMU)
Ittai Abraham (Microsoft Research, unfunded collaborator)

Stanford, Berkeley, Carnegie-Mellon, Cornell, U Penn
SOS MURI Goals

• Scientific objective

- Advance the science base for trustworthiness by developing concepts, relationships, and laws with predictive value.

• Technical approach

- Security modeling: characterize the system, threats, and desired properties. Leverage game-theoretic concepts to model incentives for the defender and attacker.

- Composition: develop principles for explaining when security schemes compose, and how to achieve compositionality.

- Security measurement: goals include determining relative strengths of defense mechanisms, evaluating design improvements, and calculating whether an additional mechanism is warranted based on attacker and defender incentives.
Science Base for Evaluation and Characterization of System Trustworthiness: SOS Metrics

Fred B. Schneider
Department of Computer Science
Cornell University
Ithaca, New York
Kinds of Analysis Laws

• Analysis: Given an artifact, predict its properties...

- Qualitative properties: What it does.

- Quantitative properties: How well it works.

• Synthesis: Compose artifacts with given properties to obtain a new one with predictable properties.

DISTRIBUTION A: Approved for public release; distribution is unlimited.

• Users: Purchasing decisions

- Which system is the better value?

• Builders: Engineering trade-offs

- Select among different designs?

• Researchers: Evaluating new ideas

- Basis for declaring success!

Fred B. Schneider, Cornell
“μ is a security metric” should mean...

- μ: Systems -> Vals, where:

• < is a partial order on Vals

... so the theory applies to more “metrics”. E.g., μ(S) = {all attacks that compromise S}

• μ(S) is efficiently computable

• x < y is efficiently computable

Intent: < reflects “actual security”, so μ(S) < μ(S’) means S is less secure than S’.
Properties of Security Metrics

Define: S ≪ S’ - S is “less secure than” S’

Soundness of μ (useful for users):

μ(S) < μ(S’) implies S ≪ S’

Completeness of μ (useful for engineers):

S ≪ S’ implies μ(S) < μ(S’)
S ≪ S’: The Fine Print

If S ≪ S’ holds then...

S, S’ must implement the “same” specification:

- Specification defines an interface.

• All interactions with the system involve actions in this interface. E.g., includes side-channels.

- Specification describes expected effects of actions at the interface.

An attack is an input that causes the specification to be violated.
The $64,000 Question!

For what classes of specifications do there exist sound (and complete?) security metrics?

Conjecture:

- Expressive specs IMPLY security metric μ must be undecidable or μ incomplete.

- Security metric μ decidable and sound IMPLY spec expressiveness is bounded by static type checking.
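As an added illustration of the soundness and completeness definitions above (example code written for this page, not from Schneider's talk): a small constructed universe of systems, each described by the subset of a fixed attack catalogue that compromises it, is used to check two candidate metrics against the ground-truth S ≪ S’ relation. The attack-set metric from the slides is sound and complete, while a scorecard-style count is complete but unsound, because a total order is forced to rank systems that are actually incomparable.

```python
# Constructed example universe (not from the talk): each system is modelled by
# the subset of a fixed attack catalogue that compromises it.
SYSTEMS = {
    "S1": {"sqli", "xss", "csrf"},
    "S2": {"sqli", "xss"},
    "S3": {"xss"},
    "S4": {"timing", "csrf"},   # incomparable with S2 and S3: different attacks
}

def less_secure(s, t):
    """Ground truth S << S': S falls to every attack S' falls to, and to more."""
    return SYSTEMS[s] > SYSTEMS[t]          # strict superset of attacks

# Metric 1, the slide's example: mu(S) = set of compromising attacks, with
# x < y meaning x is a strict superset (a partial order: S2, S4 are incomparable).
def mu_attacks(s):
    return SYSTEMS[s]

def lt_attacks(x, y):
    return x > y

# Metric 2, scorecard style: mu(S) = number of compromising attacks, with
# x < y meaning "more attacks succeed" (a total order, so every pair is ranked).
def mu_count(s):
    return len(SYSTEMS[s])

def lt_count(x, y):
    return x > y

def check_metric(mu, lt):
    """Return (sound, complete, counterexamples) for a metric over SYSTEMS:
    sound means mu(S) < mu(S') implies S << S'; complete means the converse."""
    sound = complete = True
    counterexamples = []
    for s in SYSTEMS:
        for t in SYSTEMS:
            if s == t:
                continue
            if lt(mu(s), mu(t)) and not less_secure(s, t):
                sound = False
                counterexamples.append(("unsound", s, t))
            if less_secure(s, t) and not lt(mu(s), mu(t)):
                complete = False
                counterexamples.append(("incomplete", s, t))
    return sound, complete, counterexamples

if __name__ == "__main__":
    print(check_metric(mu_attacks, lt_attacks))   # (True, True, [])
    print(check_metric(mu_count, lt_count))       # unsound: S1 vs S4, S4 vs S3
```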
Non-Intrusive Media Forensics Framework

K. J. Ray Liu and Min Wu
Department of Electrical and Computer Engineering
University of Maryland, College Park
• Very little consideration has been given to anti-forensic operations

- Designed to remove/falsify intrinsic fingerprints

- Create undetectable forgeries

• The study of anti-forensics

- Identifies weaknesses in existing forensic techniques

- Is important for the development of tools to detect the use of anti-forensic operations
• ENF: Electrical Network Frequency

- 60 Hz in North America, 50 Hz elsewhere (50/60 Hz in Japan)

- Electro-magnetic (EM) field from the power grid interferes with electronic recording mechanisms (sensors)

• ENF varies slightly from 50/60 Hz over time

- Deviations depend on regulations: on the order of 0.05-0.1 Hz

- Main trends are the same over the power grid [1]

• ENF can be “heard” and “seen”

- Present in audio recordings near power sources

- We showed luminance of indoor lighting fluctuates based on ENF

• Captured by optical sensors: photo diode, CCD camera sensors, etc.

- Random deviations can be used as fingerprints for multimedia content:

• Determine the time and place of recordings

• Detect tampering in the multimedia content; bind video and audio

[1] C. Grigoras. Applications of ENF criterion in forensics: Audio, video, computer and telecommunication analysis. Forensic Science International, 167(2-3):136-145, April 2007.
Verify Time of Recording

[Figure: video ENF signal and power ENF signal plotted against time (in seconds), with their normalized correlation.] ENF matching result demonstrating similar variations in the ENF signal extracted from video and from the power signal recorded in India

• Aliasing challenge with video: temporal sampling rate lower than ENF

• Our recent results from US, China, and India power grids

• Exploit signal processing to harvest from aliasing

- Highest correlation between power ENF and video ENF signal corresponds to the time at which the recording took place
Tampering Detection

[Figure: ENF signal from video.] ENF matching result demonstrating the detection of video tampering based on the ENF traces

• Adding a clip between the original video leads to a discontinuity in the ENF signal extracted from the video

• Clip insertion can also be detected by comparing the video ENF signal with the power ENF signal at

Forensic Binding of Audio and Visual Tracks

ENFs in audio and video tracks captured at the same time have high correlation
(a) ENF signal from the audio track
(b) ENF signal from the video track

Research questions ahead:

(1) How to accurately estimate and match weak and noisy ENF?

(2) Can ENF be removed? Tampered?

(3) How to prevent anti-forensics on ENF?
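The time-of-recording matching and the clip-insertion discontinuity check from the slides above, as an added Python example (not the Maryland group's code): it uses a constructed, smooth stand-in for a power-grid ENF log and a "video" ENF trace cut from it, slides the trace along the log by normalized correlation, and flags the consecutive-sample jumps that a spliced-in clip produces. Extracting the ENF from video frames (the aliasing step) is assumed already done, so both inputs are one frequency estimate per second.

```python
import math

def reference_enf(seconds, nominal=60.0):
    """Constructed stand-in for a power-grid ENF log (one estimate per second):
    slow, small drift around the nominal frequency, well inside +/-0.1 Hz."""
    return [nominal + 0.06 * math.sin(2 * math.pi * t / 300)
                    + 0.02 * math.sin(2 * math.pi * t / 47) for t in range(seconds)]

def normalized_correlation(a, b):
    """Pearson-style normalized correlation of two equal-length traces."""
    n = len(a)
    ma, mb = sum(a) / n, sum(b) / n
    num = sum((x - ma) * (y - mb) for x, y in zip(a, b))
    den = math.sqrt(sum((x - ma) ** 2 for x in a) * sum((y - mb) ** 2 for y in b))
    return num / den if den else 0.0

def match_recording_time(video_enf, power_enf):
    """Slide the video ENF trace along the power ENF log; the offset (seconds)
    with the highest normalized correlation is the estimated recording time."""
    w = len(video_enf)
    scores = [(normalized_correlation(video_enf, power_enf[t:t + w]), t)
              for t in range(len(power_enf) - w + 1)]
    score, t = max(scores)
    return t, score

def find_discontinuities(video_enf, max_step=0.02):
    """Grid frequency moves only a few mHz per second, so a jump between
    consecutive ENF estimates marks a cut or an inserted clip."""
    return [i for i in range(1, len(video_enf))
            if abs(video_enf[i] - video_enf[i - 1]) > max_step]

POWER = reference_enf(600)
# Constructed "video" ENF: the grid trace from t=200..319 s plus a small
# deterministic estimation error, as an ENF extractor would produce.
VIDEO = [POWER[200 + i] + 0.001 * math.sin(1.7 * i) for i in range(120)]
# Same video with a 30 s clip from a different time (t=400..429) spliced in at 60 s.
TAMPERED = VIDEO[:60] + POWER[400:430] + VIDEO[60:]

if __name__ == "__main__":
    print(match_recording_time(VIDEO, POWER))   # offset 200, correlation near 1
    print(find_discontinuities(VIDEO))           # []
    print(find_discontinuities(TAMPERED))        # [60, 90]
```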
19-23 SEPTEMBER 2011
ARLINGTON, VA

High Performance Semantic Cloud Auditing

Keesook.Han@rl.af.mil

Develop High Performance Semantic Cloud Auditing Technologies and Applications that include Comprehensive Cloud Auditing Data Capturing, Analysis and Rapid Response to Improve Cloud Quality of Services.
Cloud Research Facilities

[Map of participating sites and their facilities, labels as they appear:]

University of Texas at San Antonio
Texas A&M University
University of South Carolina

FlexFarm (Honeyfarm) & FlexCloud: Institute for Cyber Security
Cisco Test Engineering Center / Cisco Cloud Testing Lab
Router Testbed: Center for Information Assurance Engineering

University of Texas at Dallas
SUNY Binghamton University
University of Illinois at Urbana-Champaign

UTD Secure Cloud Repository: Hadoop File System
GPGPU Cluster: Real-Time Embedded Systems Lab
Coordinated Science Lab: Assured Cloud Computing Center

Tennessee State University
Rochester Institute of Technology
University of Pittsburgh

Center of Excellence in Information Systems and Engineering Management
Networking, Security, and Systems Administration Labs
Swanson Institute for Technical Excellence

University of Missouri Kansas City
Georgia Institute of Technology

Networking & Multimedia System Lab
GPGPU Cluster: CONDOR Supercomputer
Foundations of Data and Visual Analytics Center
Conclusion

Develop Efficient Information Theoretic Metadata and Aggregation: Fast Information Exploitation of Massive Cloud Auditing Data for Rapid Response

• Access Control: “Advanced Access Control for Assured Clouds”

• Cloud Security: “Honeyfarm Data Capturing, Rapid Sharing and Exploitation of Malicious Traffic for Cloud Security”

• Customized Hadoop: “Massive Cloud Auditing Using Data Mining on Hadoop”

• Secure Hadoop: “Assured Information Storage and Sharing on Hadoop”

• GPGPU Computing: “High Performance Processing of Cloud Auditing Data Using GPGPU Many-Core Parallelism”

• SLA-based Cloud Service Workloads: “Dynamic Mapping of Cloud Resources to Meet Service Level Agreement (SLA)-based Cloud Service Workloads”

• Traffic Control: “Router-Based Filtering and Rerouting to Traffic Control in Cloud Computing”

• Outage Management: “Router-Initiated Network Outage Management for Multitenant Clouds”

• File Transfer: “Bandwidth Intensive Multimedia Data Transfer for Smartphone-Friendly Cloud Services”
Detection of Covertly Embedded Hardware in Digital Systems

Douglas H. Summerville
Associate Professor
Electrical and Computer Engineering
State University of New York at Binghamton

Covertly Embedded Trojan

• Malicious circuit embedded in the “implementation space” of its host

- Neither functional nor parametric

• Trojan uses existing resources that are artifacts of the host’s implementation

• No alteration of functional characteristics of the host, therefore not testable

• Can be combinational or sequential circuits
The Embedding

• Covert hardware alters the circuit’s behavior in the “don’t care” space

• In effect, two circuits co-exist in the same physical hardware

- The original circuit, only exercised during normal operation

- The malicious circuit, exercised by a special trigger
Motivating Assumption

• Assume the general case is unsolvable

• In practice, standard design approaches generate a small fraction of possible implementations

• We focus on securing a few practical cases

[Figure: valid circuit implementations]
Structural Circuit Analysis

• Can’t look at the circuit’s function, so look at its structure

• Exploits how design approaches optimize for speed, area, power, etc. in deterministic ways

- Contributing regularity to circuit structure

• Identify structural characteristics of circuits that

- Result from standard design approaches

- Are removed or altered by tampering

• Restrict optimization to solutions in that space

- Tradeoff
Detecting Hidden Communications Protocols

R. R. Brooks
Associate Professor
Holcombe Department of Electrical and Computer Engineering
Clemson University
Clemson, SC 29634-0915
Tel. 864-656-0920
Fax. 864-656-1347
email: rrb@acm.org
Detection of Hidden Communications Protocols

Richard Brooks: rrb@acm.org, Clemson University

Objective

Detect use of tunneled communications protocols and infer their current internal state

• Private communications often tunneled through virtual private networks (VPNs)

• Mix networks tunnel connections for anonymity

• Tunneling tools (ex. ssh, ssl, TOR) have timing vulnerabilities

• Hidden Markov models (HMM) and probabilistic grammars will detect protocol use, infer network flows, partially decipher content

DoD Benefit:

- Detection of tunneled communications protocols

- In some cases (ex. interactive ssh), partially decipher message contents

- Determination of communications patterns in mix networks, such as TOR

- Detection of timing side channel attack vulnerabilities in DoD networks

Technical Approach:

- Collect inter-packet timing information from tunneled sessions

- Zero-knowledge HMM model inference

- Determination of HMM statistical significance

- Tracking HMM transitions driven by network flow inter-packet timing data detects protocol use

- Viterbi algorithm finds maximum likelihood Markov state sequence

- Two point-to-point connections with the same Markov state sequences (Viterbi paths) are likely data source and sink
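As an added example of the Viterbi step in the approach above (a constructed three-state HMM with illustrative probabilities, not the Clemson project's inferred models): inter-packet gaps of a tunneled session are quantized to symbols and decoded into the most likely internal-state sequence, which is exactly the timing side channel the slide warns about. A second trace sent behind constant-rate padding shows the defender's mitigation, since the decoder then sees a single phase and learns nothing about the session.

```python
import math

# Constructed three-state model of a tunneled session's internal state; the
# probabilities are illustrative, not inferred from real traffic.
STATES = ("bulk", "keystroke", "idle")
START = {s: 1 / 3 for s in STATES}
TRANS = {s: {t: 0.8 if s == t else 0.1 for t in STATES} for s in STATES}
EMIT = {  # P(inter-packet gap symbol | state)
    "bulk":      {"short": 0.85, "medium": 0.10, "long": 0.05},
    "keystroke": {"short": 0.10, "medium": 0.80, "long": 0.10},
    "idle":      {"short": 0.05, "medium": 0.15, "long": 0.80},
}

def quantize(gaps):
    """Map inter-packet gaps in seconds onto the model's observation symbols."""
    return ["short" if g < 0.05 else "medium" if g < 1.0 else "long" for g in gaps]

def viterbi(symbols):
    """Maximum-likelihood state sequence for the observed symbols (log domain)."""
    delta = [{s: math.log(START[s] * EMIT[s][symbols[0]]) for s in STATES}]
    back = []
    for sym in symbols[1:]:
        cur, ptr = {}, {}
        for s in STATES:
            prev = max(STATES, key=lambda p: delta[-1][p] + math.log(TRANS[p][s]))
            cur[s] = delta[-1][prev] + math.log(TRANS[prev][s] * EMIT[s][sym])
            ptr[s] = prev
        delta.append(cur)
        back.append(ptr)
    state = max(STATES, key=delta[-1].get)
    path = [state]
    for ptr in reversed(back):          # follow back-pointers to the start
        state = ptr[state]
        path.append(state)
    return path[::-1]

def session_phases(gaps):
    """Collapse the decoded path into (state, packet_count) runs."""
    runs = []
    for s in viterbi(quantize(gaps)):
        if runs and runs[-1][0] == s:
            runs[-1] = (s, runs[-1][1] + 1)
        else:
            runs.append((s, 1))
    return runs

# Constructed timing trace: a burst transfer, then typing, then silence.
SAMPLE_GAPS = [0.01, 0.02, 0.01, 0.03, 0.3, 0.5, 0.2, 0.4, 2.0, 5.0, 3.0]
# The same session sent behind constant-rate padding (one packet every 20 ms),
# the usual countermeasure to a timing side channel.
PADDED_GAPS = [0.02] * len(SAMPLE_GAPS)

if __name__ == "__main__":
    print(session_phases(SAMPLE_GAPS))   # phases visible through the tunnel
    print(session_phases(PADDED_GAPS))   # padding leaves a single phase
```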
Active Defense: Reactively Adaptive Malware: Attacks & Defenses

Kevin W. Hamlen & Latifur Khan
University of Texas at Dallas

AFOSR Contract FA9550-10-1-0088

September 2011
Attacks Upon Signature-matcher

• Randomize features during propagation

- Polymorphism

• encrypt payload with randomly chosen key

- Oligomorphism

• randomly re-assemble decryptor

- Metamorphism

• non-deterministically recompile decryptor and/or payload

• Weakness: Undirected mutation
• Three challenges:

1. Covertly harvest data about victim defenses (malware signature databases)

2. Mine harvested data effectively

3. Derive new mutation strategy from inferred model
Hardware, Languages, & Architectures for Defense Against Hostile Operating Systems (DHOSA)

V. Adve, UIUC
K. Asanovic, UC Berkeley
D. Evans, UVA
S. King, UIUC
G. Morrisett, Harvard
R. Sekar, U Stony Brook
D. Song, UC Berkeley
D. Wagner (PI), UC Berkeley

http://www.dhosa.org/
The Approaches

Advances that cut across traditional disciplines:

• new OS and software architectures

• new hardware architectures

• new policy enforcement techniques

• new techniques for trustworthiness

• new coding techniques
[Diagram of the DHOSA approaches, labels as they appear:]

- Binary translation and emulation
- Formal methods
- TRANSFORMATION
- HARDWARE
- Hardware support for isolation
- Dealing with malicious hardware
- e.g., Prevent data exfiltration
- e.g., Enforce properties on a malicious OS
- Cryptographic secure computation
- Data-centric security
- Secure browser appliance